ipsilon.git/ipsilon/install, branch master Unnamed repository; edit this file 'description' to name the repository. Validate SP path settings during installation 2015-03-11T13:48:55+00:00 Nathan Kinder nkinder@redhat.com 2015-03-11T03:02:07+00:00 a1bcbfd426a6c3860edf53e12da32ff6daad4442 There are a number of URL path options that can be specified as options when running ipsilon-client-install. There are certain rules that must be followed to result in a valid mod_auth_mellon configuration: - All path options must be prefixed with '/'. - The mellon endpoint path (--saml-sp) must be a subpath of the httpd 'Location' element is it contained within (--saml-base). - The logout (--saml-sp-logout) and post (--saml-sp-post) paths must be subpaths of the mellon endpoint (--saml-sp). This adds validation for all of the above rules. https://fedorahosted.org/ipsilon/ticket/82 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
There are a number of URL path options that can be specified as
options when running ipsilon-client-install. There are certain
rules that must be followed to result in a valid mod_auth_mellon
configuration:

 - All path options must be prefixed with '/'.

 - The mellon endpoint path (--saml-sp) must be a subpath of the
   httpd 'Location' element is it contained within (--saml-base).

 - The logout (--saml-sp-logout) and post (--saml-sp-post) paths
   must be subpaths of the mellon endpoint (--saml-sp).

This adds validation for all of the above rules.

https://fedorahosted.org/ipsilon/ticket/82

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add Cache-Control header to prevent browser caching of SAML auth location 2015-03-10T22:24:08+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T18:22:47+00:00 d67664fbffe9c380a354abe115ee5afa1ff968be We should prevent browser caching of the SAML auth location that we configure for an SP. This can be easily done by adding the following directive to that location in the httpd config: Header append Cache-Control "no-cache" https://fedorahosted.org/ipsilon/ticket/81 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
We should prevent browser caching of the SAML auth location that we
configure for an SP. This can be easily done by adding the following
directive to that location in the httpd config:

    Header append Cache-Control "no-cache"

https://fedorahosted.org/ipsilon/ticket/81

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Require SSL on SP when using --saml-secure-setup 2015-03-10T22:24:01+00:00 Nathan Kinder nkinder@redhat.com 2015-03-10T03:28:47+00:00 42700be962e245243f10c30a29c41fcda1f3f712 If ipsilon-client-install is used with the --saml-secure-setup option (which is set by default), only https connections will work for authentication. We are not setting the SSLRequireSSL directive though, so we set mellon up to fail. This patch adds the SSLRequireSSL directive to the SP config when --saml-secure-setup is specified. In addition, we add a rewrite rule to rewrite http requests to https for the SP. https://fedorahosted.org/ipsilon/ticket/80 Signed-off-by: Nathan Kinder <nkinder@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
If ipsilon-client-install is used with the --saml-secure-setup
option (which is set by default), only https connections will
work for authentication.  We are not setting the SSLRequireSSL
directive though, so we set mellon up to fail.

This patch adds the SSLRequireSSL directive to the SP config
when --saml-secure-setup is specified.  In addition, we add a
rewrite rule to rewrite http requests to https for the SP.

https://fedorahosted.org/ipsilon/ticket/80

Signed-off-by: Nathan Kinder <nkinder@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Add uninstallation support. 2015-02-26T20:18:02+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-02-04T09:58:14+00:00 7ad204c13898245cdea5acfa90be83e767276994 As part of this, made all plugins use a Installer baseclass. https://fedorahosted.org/ipsilon/ticket/38 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> 
As part of this, made all plugins use a Installer baseclass.

https://fedorahosted.org/ipsilon/ticket/38

Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>
Let the plugin configure calls notice failures. 2015-02-13T23:10:03+00:00 Rob Crittenden rcritten@redhat.com 2015-02-13T19:12:55+00:00 438dce6a6cb99eb3cc8028dff15cd02b6829e4b0 The call to configure the info/login/auth/provider plugins had no way of recognizing that the configuration failed. Have it check for an explicit False return value as an indication of failure. This lets the configuration plugin do a simple return (None) if it isn't enabled. Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
The call to configure the info/login/auth/provider plugins
had no way of recognizing that the configuration failed. Have it
check for an explicit False return value as an indication of failure.

This lets the configuration plugin do a simple return (None) if
it isn't enabled.

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Fix some copy-paste errors in help output 2015-01-19T14:39:47+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2015-01-12T13:24:37+00:00 9f8b66c72a015050f20a5d789a5f997b0f4ce925 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Rob Crittenden <rcritten@redhat.com> https://fedorahosted.org/ipsilon/ticket/33 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Rob Crittenden <rcritten@redhat.com>

https://fedorahosted.org/ipsilon/ticket/33
Add support for Persona Identity Provider 2014-11-14T18:06:27+00:00 Patrick Uiterwijk puiterwijk@redhat.com 2014-11-13T09:18:05+00:00 943158d19f879eb6ad515edeb59017671e4252c5 Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> Reviewed-by: Simo Sorce <simo@redhat.com> 
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Add simple SqlSession implementation 2014-11-12T22:46:52+00:00 Simo Sorce simo@redhat.com 2014-11-10T19:57:53+00:00 5e0b9747121eab67c5a3ee3bb42a677e35da7fd6 This allows us to store session data in the DB. This way session data can be shared by multiple servers behind a balancer. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
This allows us to store session data in the DB. This way session data can
be shared by multiple servers behind a balancer.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Add test to check a real database (pgsql) works 2014-11-12T22:46:47+00:00 Simo Sorce simo@redhat.com 2014-10-29T14:22:36+00:00 0087ad1e0824b4b1c49ce1468bfbb2e492ac7992 Change config template to e able to set up ipsilon with an extrenal database. For the easy install the database server must have 3 datbases configured, and named exactly: admincondif, userprefs, transactions If different names are required manual instalation will be necessary. Database URLs (including credentials) can be set using the new option named --database-url Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Change config template to e able to set up ipsilon with an extrenal
database.
For the easy install the database server must have 3 datbases configured,
and named exactly: admincondif, userprefs, transactions

If different names are required manual instalation will be necessary.
Database URLs (including credentials) can be set using the new option
named --database-url

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Refactor the data store a bit 2014-09-24T18:31:14+00:00 Simo Sorce simo@redhat.com 2014-09-08T19:55:34+00:00 9e45a0dda4cfa26b531a423fc8b1c4b10d382a0f Reduce code duplication, and clearly separates admin and user dbs. Move plugin wrapper away and let plugin code use native functions. This patch also changes the indexed data to use a uuid and assumes 2 identical uuid cannot be created concurrently. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com> 
Reduce code duplication, and clearly separates admin and user dbs.
Move plugin wrapper away and let plugin code use native functions.

This patch also changes the indexed data to use a uuid and assumes
2 identical uuid cannot be created concurrently.

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>